[CB21] Were "2020" Subdomains Abused Actually? - Mining the Real Threat Hidden in Subdomains by Tsuyoshi Taniguchi

Copy right 2021 FUJITSU SYSTEM INTEGRATION LABORATORIES LIMITED
Were "2020" Subdomains Abused Actually?
- Mining the Real Threat Hidden
in Subdomains
0
CODE BLUE 2021
（October 20th, 2021）
FUJITSU SYSTEM INTEGRATION LABORATORIES LTD.
Tsuyoshi TANIGUCHI

Tsuyoshi TANIGUCHI
◼ Fujitsu System Integration Laboratories Researcher, Ph.D.
◼ Mar. 2008 - Hokkaido University Ph.D. (computer science)
◼ Apr. 2008 - Researcher, FUJITSU
◼ Apr. 2016 - Researcher, FUJITSU SYSTEM INTEGRATION LABORATORIES
LTD
◼ Speaker
CODE BLUE 2017 Day0 Special Track Counter Cyber Crime Track
CODE BLUE 2018, CODE BLUE 2020
Black Hat Asia 2021, ACM ASIACCS 2021
International collaboration with Prof. Doerr (Hasso Plattner Institute)
https://www.youtube.com/watch?v=y8Z9KnL8s8s (Presentation in Black Hat Asia 2021)
1

Acknowledgment
◼ Christian Doerr, Ph.D.
◼ Professor Cybersecurity + Enterprise Security
Hasso Plattner Institute for Digital Engineering
◼ The list of domain names
◼ The domain names are gathered from the zone files
of the various TLD operators directly, with whom Prof.
Doerr has an agreement
◼ As of Feb. 15, 2021
◼ To check registrations of numeric domain
names
https://hpi.de/forschung/fachgebiete/cybersecurity-enterprise-security.html
https://www.cyber-threat-intelligence.com/people/christian/
2

Timeline
2005 2010 2013 2020 2021
Apr. 2006
Tokyo
Stood as a candidate
Oct. 2009
Rio de Janeiro
Jul. 2011
Tokyo
Sep. 2013
Tokyo
Original event days
Jul. 22 to Aug. 9
Actual event days
Jul. 21 to Aug. 8
Postponed
CODE BLUE 2020 (Oct. 31, 2020)
Called attention to “2020” subdomains
CODE BLUE 2021 (Oct. 20, 2021)
Were "2020" Subdomains Abused
Actually?
3

When Could Suspicious (Sub)domains be Abused?
2005 2010 2013 2020 2021
tokyo2016
Typosquatting
tokyo2020
Typosquatting
tokyo2021
Typosquatting
Were “2020” subdomains abused for impersonating tokyo2020?
Typosquatting：the method for targeting typos by users when they directly input URLs
Apr. 2006
Tokyo
Oct. 2009
Rio de Janeiro
Jul. 2011
Tokyo
Sep. 2013
Tokyo
Original event days
Jul. 22 to Aug. 9
Actual event days
Jul. 21 to Aug. 8
Postponed
4

Mining the Real Threat Hidden in Subdomains
2005 2010 2013 2020 2021
“2020” subdomains
Apr. 2006
Tokyo
Stand as a candidate
Oct. 2009
Rio de Janeiro
Jul. 2011
Tokyo
Sep. 2013
Tokyo
Original event days
Jul. 22 to Aug. 9
Actual event days
Ju. 21 to Aug. 8
Postpone
Mining the real threat hidden in subdomains
What were hidden in subdomains?
5

CODE BLUE 2020: “2020” Subdomain Alert
tokyo.2020.TLD
tokyo2.020.TLD
tokyo20.20.TLD
tokyo202.0.TLD
“2020” domains: 2020.TLD, 020.TLD, 20.TLD, 0.TLD
“2020” subdomains：
• Explainable diagnosis: mid-to-long term
• Registered numeric domains long before Tokyo
stood as a candidate for Olympic Games
• Impersonate Tokyo by abusing subdomains
• Can impersonate Istanbul or Madrid
• Have not observed name resolutions yet
• Would these subdomains be abused
actually?
6

Subdomain Abuse
https://smbc-card.com.●●●●.com/
(Jul. 5, Phishing by impersonating Sumitomo Mitsui Card Company)
https://www.visa.co.jp.●●●●.●●●●/
(Jul. 6, phishing by impersonating VISA card)
Subdomain：
abuse legitimate URLs
Domain：anything is OK
Du, Kun, et al. "TL; DR hazard: A comprehensive study of levelsquatting scams." International
Conference on Security and Privacy in Communication Systems. Springer, Cham, 2019.
From emergency information by Council of Anti-Phishing Japan
Subdomain abuse based
on levelsquatting
• Can operate any
strings as subdomains
without any limitation
• Show a part of URLs
in a case of narrow
display space in smart
phones
Subdomain SLD TLD
7

Worried Scenario in tokyo2020
◼ Change of parked domains to malicious use during tokyo2020
1% of 6 million domains
(Mar. to Sep. 2020，according to the report by paloalto)
Parked domain
(advertisement display,
low risk)
C&C, malware distribution,
phishing
(malicious use，worst case)
Domain Parking: A Gateway to Attackers Spreading Emotet and Impersonating McAfee
https://unit42.paloaltonetworks.com/domain-parking/
8

Parked Domain
◼ Parking Sensor [Thomas Vissers et al., NDSS 2015]
Domain Owner
Parking Services
Advertisement
Syndicator
Advertiser
$
$
$
$
Domain
NS
Parking Page
AD
AD
AD
AD
(1)
(2)
(3)
(4)
Related links
Link
Link
Link
Link
9

Parked Domain: How to Confirm
◼ Parking Sensor: name servers or CNAME of 15 parking service providers
◼ Not many: the paper was published in 2015
◼ How to confirm
◼ Directly confirm the parked domains through browser
◼ Check the name server related to the above domain
◼ If the name server is not identified, then search the guidance of setting the nameserver
as parked domains by the parking service providers
◼ Add the name server to a list of parking service providers if the guidance is confirmed
◼ About 20 parking service providers were added to my checking list
Provider Name server
SedoParking sedoparking.com
Parkingcrew parkingcrew.net
Bodis bodis.com
… …
Attention: the parking service itself is legitimate
10

Parked Domain: How to Detect
1. dig command with NS option
◼ In a case where corresponding domain responded
◼ Extension function from my system in CODE BLUE 2018
2. Passive DNS NS record
◼ In a case where previous name resolutions of the corresponding domains
have occurred
3. WHOIS
◼ In a case where the registration records of the corresponding domain exist
11

How to Observe and Evaluate
Pre-event evaluation
(Feb. 18 to Jul. 19)
Actual observation
(Jul. 21 to Aug. 8)
Post-event evaluation
(Aug. 9 to Aug. 19)
• Previous Olympic Games
• rio2016
• pyeongchang2018
• Other events
• US presidential election
• The status of response
• Periodic response
• First and last seen
• Parked domain
• Response check based on
Passive DNS records
• Access http though browser
• The change of response
• Future Olympic Games
• beijing2022
• paris2024
12

Pre-Event Evaluation
Actual observation
(Jul. 21 to Aug. 8)
(Aug. 9 to Aug. 19)
“2016” (172 registrations) : 8 subdomains
16.com, 2016.com, 2016.info
rio.2016.com, …
“2018” (283 registrations) : 2 subdomains
18.com, 2018.com
pyeongchang.2018.com, …
US presidential election (“2020” domains): 61 subdomains
020.biz, 020.online, 020.org, 020.us, 20.com, 2020.com,
2020.house, 2020.win, 2020.us
trump.2020.com, biden.2020.com, trumpreelection2.020.org,
electionday2.020.org, …
A few abuses of
previous Olympic
Games
“2020”: trump, biden,
obama, election, vote
• Previous Olympic
Games
• rio2016
• pyeongchang2018
• Other events
• US presidential
election
• The status of response
• Periodic response
• First and last seen
• Parked domain
13

Pre-Event Evaluation: Hypothesis and Verification
◼ If someone abuses “2020” subdomains,
◼ then the subdomains start responding as tokyo2020 approaches
◼ Domain owners can operate subdomains anytime without any limitation
13:00
everyday
tokyo.2020.TLD
tokyo2.020.TLD
tokyo20.20.TLD
tokyo202.0.TLD
Public caching DNS
Response?
14

Pre-Event Evaluation: Periodic Response
About 50 subdomains were mapped to google cloud from Apr. 9
-> finish responding on May 9
15

Relation Between Parked Domains and Subdomains
tokyo.2020.TLD
x.x.x.x
It seemed that the subdomains responded,
but …
16

tokyo.2020.TLD
x.x.x.x
*.2020.TLD
(parked)
codeblue.2020.TLD
x.x.x.x
hogehoge.2020.TLD
x.x.x.x
DNS record
wildcard function
-> Any subdomains
responded for showing
the same ad page
17

tokyo.2020.TLD
x.x.x.x
*.2020.TLD
(parked)
Sensor
tokyo.2020.TLD IN A x.x.x.x
First Seen: ….
Last Seen: …
Passive DNS records
-> Anonymization of
source information
Taniguchi
-> finished on Jul. 7
Victims
x.x.x.x
tokyo.2020.TLD
18

Actual Observation: Target
tokyo2020
typosquatting
tokyo2021
“2020”subdomains
187
82
203 -> 605
(402 addition)
tokyo-2020.TLD, tokio2020.TLD
tokoy2020.TLD, tokyo2020.TLD
tokyo.2020.TLD, tokyo2.020.TLD
tokyo20.20.TLD, tokyo202.0.TLD
Response status (pre-event evaluation as of Jul. 19)
Response
(Passive DNS)
Parked domains Malicious
Typosquatting 32% (88/269) 34% (30/88) 8% (7/88)
“2020” subdomains 15% (91/605) 54% (49/91) 3% (3/91)
Malicious: 1 or more vendors judged malicious (phishing) or suspicious in VirusTotal
19

tokyo2020 Typosquatting tokyo2021
Pre-Evaluation First and Last Seen
Sudden increase of
tokyo2021 registrations
soon after the
announcement of the
postponement of
tokyo2020
Around 30% responses of
tokyo2020 typosquatting
First
Seen
Last
Seen
20

“2020” Subdomains
Pre-Evaluation First and Last Seen
Jan. 28: started querying
Jul. 7: finished querying
tokyo202.0.org: 2019/2/4, 2020/2/2
tokyo20.20.org: 2019/5/30, 2019/11/26
tokyo20.20.com: 2019/5/30
tokyo2.020.org: 2020/2/2
First
Seen
Last
Seen
21

Actual Observation, Post-Event Evaluation
Actual observation
(Jul. 21 to Aug. 8)
(Aug. 9 to Aug. 19)
• Response check based on
Passive DNS records
• Access http though browser
• The change of response
• Future Olympic Games
• beijing2022
• paris2024
22

tokyo2020 Typosquatting tokyo2021
Actual Observation
Stood out name
resolutions near
Opening or
Closing
ceremony
23

“2020” Subdomain
Actual Observation
Jul. 7: name resolution for periodic
response (by Taniguchi) Jul. 28:
ticket.tokyo2.020.org
ticket.tokyo20.20.org
24

Actual Observation, Post-Event Evaluation
Actual observation
(Jul. 21 to Aug. 8)
(Aug. 9 to Aug. 19)
Response (Jul. 19) Response (Aug. 9)
Typosquatting 32% (88/269) 35% (94/269)
“2020” subdomains 15% (91/605) 0.5% (3/605)
tokyo.2020.shop
tokyo2.020.org, ticket.tokyo2.020.org
tokyo20.20.org, ticket.tokyo20.20.org
“2020” subdomains：a few ｔokyo-related subdomains,
but many other subdomains
“2022”, “2024”：
only query by me
Subdomain follow-up
evaluation
Typosquatting: could observe responses, but did not observe serious threat
25

Mining the Real Threat Hidden in Subdomains
2005 2010 2013 2020 2021
“2020” subdomains
Apr. 2006
Tokyo
Oct. 2009
Rio de Janeiro
Jul. 2011
Tokyo
Sep. 2013
Tokyo
Original event days
Jul. 22 to Aug. 9
Actual event days
7/21 – 8/8
Postpone
Mining the real threat hidden in subdomains
What were hidden in subdomains?
26

Subdomain
◼ A domain is divided into subdomains by purpose or by use
◼ Ex. yahoo.co.jp
.yahoo.co.jp
.yahoo.co.jp
.yahoo.co.jp
.yahoo.co.jp
shopping
auctions
weather
news
shopping
auction
weather
news
27

How to Search Subdomains (1/2)
◼ FARSIGHT DNSDB API VERSION 1 DOCUMENTATION
◼ https://docs.dnsdb.info/dnsdb-api/
◼ I have not used Version 2 yet
◼ 2. Lookup all RRsets whose owner name ends in farsightsecurity.com,of
type NS, in the farsightsecurity.com zone
◼ curl -i -H 'Accept: text/plain' -H "X-API-Key: $DNSDB_API_KEY"
"https://api.dnsdb.info/lookup/rrset/name/*.farsightsecurity.com/ns/farsightsecurity.co
m"
Based on the above API, wildcard function can collect all records
◼ -> curl -i -H 'Accept: text/plain' -H "X-API-Key: $DNSDB_API_KEY"
"https://api.dnsdb.info/lookup/rrset/name/*.domain.com?limit=1000000"
28

How to Search Subdomains (2/2)
domain.com IN A x.x.x.x
IN NS ns1.domain.com
domain.com
.domain.com IN A x.x.x.x
subdomain1
.domain.com IN A x.x.x.x
subdomain2
ns1 .domain.com IN A y.y.y.y
Attention: NOT capture
A records of name servers
Capture strings other
than www before SLD
A case of *.domain.com
29

The Response Status of Subdomains
Subdomain No subdomain
tokyo2020 typo 46% (84/183) 54% (99/183)
tokyo2021 11% (8/75) 89% (67/75)
“2020” subdomains 61% (357/583) 39% (226/583)
◼ The histories of name resolutions of subdomains are not always observed
◼ Domain owners operate subdomains
◼ Someone queries for the subdomains shop, booking, ticket,
myinfo stood out during
tokyo2020
ticket.tokoy2020.org
myinfo.tokoy2020.org
shop.toko.2020.com
booking.toko.2020.com
Around 10%: over 100 subdomains
In the maximum case: over 10,000 subdomains, not related to tokyo2020
No strategic operations
based on ad hoc registrations
Based on directly checking, I noticed many brands
30

Brand Abuse: How to Detect
.12.com IN A x.x.x.x
mail.yahoo
facebook
Brand domains from Alexa
Top 1,000
SLD list
Delete duplication of SLD
5 or more characters
(to avoid detecting many random strings)
Levelsquatting: legitimate URLs
-> rarely detect
archive
Substring
matching
www.google
31

Brand Abuse: Analysis Target
◼ Target: “2010”, “2011”, …, “2024” subdomains
◼ Analysis of “Olympic year” -> concluded an in-depth analysis of brand abuse of
numeric domains
Domain registration 3,783
Target domains 3,548
Subdomains 1,529,678
Domains (brand abuse) 288
Subdomains (brand abuse) 3,252
Parked domains 142
Malicious judgement 39
8.12% (For target domains)
0.21% (For all subdomains)
49.31% (For brand abuse)
13.54% (For brand abuse)
Passive DNS records exists
32

Brand Abuse: Summary
Rank Abused brand Domain Abused TLD
1 google (1080) 14.net (947) .com (38)
2 yahoo (376) 12.com (352) .org (24)
3 facebook (240) 20.com (160) .se (15)
4 wordpress (106) 0.io (93) .net (13)
5 youtube (67) 16.com (93) .app (11)
Malicious in VirusTotal
Top-30 Malicious
judgement：9/30 (30%)
Most of google abuse in
subdomains of 14.net
The number of
TLD: 116
33

Brand Abuse: “2016”, “2017”, …,“2024”
◼ 2016: Rio, 2018: PyeongChang, 2020: Tokyo, 2022: Beijing, 2024: Paris
◼ 2017, 2019, 2021, 2023: not related to Olympic Games
◼ Similar abuse status
“2016” “2017” “2018” “2019” “2020” “2021” “2022” “2023” “2024”
1 yahoo google facebook netflix google microsoft yahoo yahoo bet365
2 facebook verizon wordpress google yahoo wordpress verizon youtube wordpress
3 google india yahoo instagram bet365 google wordpress google google
4 wordpress wordpress youtube yahoo wordpress youtube facebook wordpress business
5
instagram apple pornhub facebook amazon github apple apple twitch
facebook xvideos
34

Brand Abuse + Event Abuse (Olympic Games)
◼ 20.org, 2018.com, 16.com, 2016.com
◼ 16.com: 93 subdomains
◼ yahoo.16.com, twitter.16.com, facebook.16.com, verizon.16.com,
instagram.16.com, wordpress.16.com
◼ rio20.16.com
◼ 2016.com: 40 subdomains
◼ google.2016.com, twitter.2016.com, microsoft.2016.com, yahoo.2016.com,
www.whatsapp.2016.com, www.baidu.2016.com
◼ rio.2016.com
35

Concern: Future Olympic Games
api-huffpost.24.com
First Seen: Feb. 7, 2018
Last Seen: Jun. 29, 2018
facebook.24.com
Jun. 6, 2019
Jun. 6, 2019
weather-api.24.com
Apr. 1, 2020
Aug. 21, 2021
paris20.24.com
? ?, 2024
◼ beijing2022.cn, paris2024.org
◼ Only brand abuses in relation to ”2022” and “2024” as of Aug. 2021
◼ Malicious in VirusTotal: only 24.com
Around 2010: googlesearch.24.com, weather.24.com
From 2018: brand abuse has been observed
Only my query regarding paris20.24.com
◼ Please be careful regarding this potential threat
Paris2024
36

How to Guide Users to Undesired Sites
◼ typosquatting or URL click
Rarely occur typosquatting of
. (dot)
https://www.tokio2020.com
Directly input URLs in browser
y -> i
Click !
http://www.ticket.tokyo20.20.org
URL click
Phishing e-mail
37
Typo-generation models [Microsoft, Strider Typo-Patrol, 2006]
One-characterdistance, fat finger distance[Long “Taile”, Szurdi,
Janos, et al., 2014]

(Hypothetical) Potential Threat: Wildcard Phishing
◼ Phishing e-mail + wildcard subdomains
◼ Divide an e-mail operation into a domain operation
WHOIS
Registration: ●●●●.com
*.●●●●.com
facebook.com.●●●●.com
x.x.x.x
Click !
http://www.facebook.com.●●●●.com
Victims
Voluntarily query band
subdomains
Domain operation：wildcard ->
Subdomain queries are hidden
in Passive DNS records
Phishing e-mail
Click !
http://www.google.com.●●●●.com
google.com.●●●●.com
x.x.x.x
WHOIS: Not footprints
of brand abuse
38

Countermeasure
◼ Blocking policy (in organizational network)
◼ Block numeric domains other than legitimate top sites (whitelist):
Ex (whitelist). 360.cn, 6.cn, 163.com, 1688.com (Alibaba from china), 58.com
◼ Block parked numeric domains during events
Ex. “2020” parked domains are blocked during tokyo2020
◼ Block a particular string in subdomains of the numeric domain
ticket, myinfo, shop, booking, brand domains
◼ Regulation of subdomain operations (by DNS registrar, registry)
◼ Do not click doubtful URLs in suspicious e-mail or SMS (end
users)
39

Summary
◼ Observation of worried scenario in tokyo2020
◼ Did not observe in pre-event evaluation and actual observation
◼ ticket.tokyo2.020.org,ticket.tokyo20.20.org
◼ Threat hidden in subdomains
◼ Brand abuse
◼ And abuse of string of Olympic Games
◼ Contributions
◼ Parked domains: not judged as malicious by security vendors
◼ Subdomains: difficultto analyze without special techniques
◼ Mining potentialthreats hidden in subdomains of parkeddomains
Adversaries can freely abuse brand domainsby abusing subdomainswith DNS wildcard
function
Brand Abuse + Event Abuse: continuousthreat regarding the change of parked domains to
malicioususe
40

[CB21] Were "2020" Subdomains Abused Actually? - Mining the Real Threat Hidden in Subdomains by Tsuyoshi Taniguchi

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to [CB21] Were "2020" Subdomains Abused Actually? - Mining the Real Threat Hidden in Subdomains by Tsuyoshi Taniguchi

Similar to [CB21] Were "2020" Subdomains Abused Actually? - Mining the Real Threat Hidden in Subdomains by Tsuyoshi Taniguchi (20)

More from CODE BLUE

More from CODE BLUE (20)

Recently uploaded

Recently uploaded (20)

[CB21] Were "2020" Subdomains Abused Actually? - Mining the Real Threat Hidden in Subdomains by Tsuyoshi Taniguchi